All extensions must be secure, without viruses, malware, or vulnerabilities. That’s why we review the source code of each extension or theme submitted to our marketplace.
Actually, I don't think reviewing code is necessary for this - you over-control this.
1. Vendors can simply submit one copy and sell another copy of the plugin - you can't control this, but you have to take responsibility - e.g. you guaranteed to the public that this plugin is virus-free, and if customers find a virus, you need to explain; it will become your fault.
2. Most vendors don't like to submit the code - although you replied "code won't get published" or "only I review the code", you have to explain "how will you protect another company's assets?" "will the code be stored safely? how to prove it if you say yes?" "How will you prevent the code from getting leaked to the outside? will the approach be audited by a 3rd party?" "How can you guarantee the nop team won't use my code?"
I'm not talking about whether you have time to review all the code - I assume you have a tool to do it - but you have to explain all these kinds of questions. In addition, you have to prepare an NDA for all vendors to sign, agreeing that the vendors can take legal action when the nop team leaks or uses a vendor's company assets.
3. Suggestion: the intention is good, but to achieve "without viruses, malware, or vulnerabilities", I think the nop team can only do limited things within the nop site. You can't control the plugins on other sites or on the internet, so I suggest you set up a resolution center and allow customers to submit a dispute, just like PayPal does. By doing this you can give vendors a lower or higher ranking, or totally block vendors from this site. You can't control a vendor's site, but you can control this site.